8.4 SNAT from Outside

uber_cookie
Level 1

Hi

Could anyone tell me why this statement does not work? (No real IPs used) DMZ interface is 10.0.0.1/24

nat (outside,dmz) source dynamic any  interface destination static OBJECT-01 OBJECT-01

!

object network OBJECT-01

host 10.0.0.2

nat (dmz,outside) static 1.1.1.1 dns

Also tested:

nat (outside,dmz) source dynamic any  interface destination static OBJECT-01-out OBJECT-01-in

!

object network OBJECT-01-out

host 1.1.1.1

!

object network OBJECT-01

host 10.0.0.2

nat (dmz,outside) static 1.1.1.1 dns

It works fine as follows:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in

!

object network OBJECT-01-out

host 10.0.0.254

!

object network OBJECT-01-out

host 1.1.1.1

!

object network OBJECT-01

host 10.0.0.2

nat (dmz,outside) static 1.1.1.1 dns

Thank you


Julio Carvajal
VIP Alumni

Hello,

1- Can you share the PAT-DMZ host?

2- Why are you performing 2 different NATs for the same purpose? I mean, you are already letting the ASA know that if any users on the outside contact this ASA for the IP address of Object-01 (1.1.1.1), the destination should be untranslated to 10.0.0.2 and the source should be translated to the PAT-DMZ IP.

So from my point of view you only need this:

nat (outside,dmz) source dynamic any PAT-DMZ destination static OBJECT-01-out OBJECT-01-in

With that line you are translating both the source and destination on one single line.

Let me know if I understood the question properly

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
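
The single twice-NAT line discussed in the reply above, modelled as an added example (not code from either poster, and not ASA's implementation): it shows the destination being untranslated, the source being PATed, and replies being mapped back through the translation table. The PAT-DMZ address 10.0.0.254 is an assumption, since the thread never confirms it, and sequential port allocation is a simplification.

```python
from dataclasses import dataclass

# Addresses from the thread's configuration (the poster states they are not real IPs).
OBJECT_01_OUT = "1.1.1.1"    # mapped (outside) address of the DMZ host
OBJECT_01_IN = "10.0.0.2"    # real (DMZ) address of the DMZ host
PAT_DMZ = "10.0.0.254"       # ASSUMPTION: PAT-DMZ address, never confirmed in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class TwiceNat:
    """Toy model of: source dynamic any PAT-DMZ destination static OUT IN."""

    def __init__(self, first_port=1024):
        self.next_port = first_port
        self.xlate = {}      # (real src, real sport) -> allocated PAT port
        self.reverse = {}    # allocated PAT port -> (real src, real sport)

    def outside_to_dmz(self, pkt):
        # The destination clause doubles as the match condition for the rule.
        if pkt.dst != OBJECT_01_OUT:
            return None      # rule does not match, nothing is translated
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        # Both halves change at once: source -> PAT-DMZ, destination -> real host.
        return Packet(PAT_DMZ, self.xlate[key], OBJECT_01_IN, pkt.dport)

    def dmz_to_outside(self, pkt):
        # Replies are only mapped back through an existing translation entry.
        if pkt.src != OBJECT_01_IN or pkt.dst != PAT_DMZ:
            return None
        if pkt.dport not in self.reverse:
            return None      # no entry: unsolicited traffic to the PAT address
        src, sport = self.reverse[pkt.dport]
        return Packet(OBJECT_01_OUT, pkt.sport, src, sport)
```

Because the source is translated, the DMZ host sees every outside client as the PAT-DMZ address; the original client address exists only in the firewall's translation table and logs.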